diff --git a/Cargo.lock b/Cargo.lock index a905ccaa6..48f823558 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,11 +4,11 @@ version = 3 [[package]] name = "actix-codec" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "617a8268e3537fe1d8c9ead925fca49ef6400927ee7bc26750e90ecee14ce4b8" +checksum = "5f7b0a21988c1bf877cf4759ef5ddaac04c1c9fe808c9142ecb78ba97d97a28a" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.4.2", "bytes", "futures-core", "futures-sink", @@ -31,8 +31,8 @@ dependencies = [ "actix-tls", "actix-utils", "ahash 0.8.7", - "base64 0.21.6", - "bitflags 2.4.1", + "base64 0.21.7", + "bitflags 2.4.2", "brotli", "bytes", "bytestring", @@ -122,9 +122,9 @@ dependencies = [ [[package]] name = "actix-tls" -version = "3.1.1" +version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72616e7fbec0aa99c6f3164677fa48ff5a60036d0799c98cab894a44f3e0efc3" +checksum = "929e47cc23865cdb856e59673cfba2d28f00b3bbd060dfc80e33a00a3cea8317" dependencies = [ "actix-rt", "actix-service", @@ -133,8 +133,6 @@ dependencies = [ "impl-more", "openssl", "pin-project-lite", - "rustls 0.21.10", - "rustls-webpki", "tokio", "tokio-openssl", "tokio-rustls 0.23.4", @@ -173,7 +171,7 @@ dependencies = [ "bytes", "bytestring", "cfg-if", - "cookie", + "cookie 0.16.2", "derive_more", "encoding_rs", "futures-core", @@ -214,7 +212,7 @@ checksum = "1d613edf08a42ccc6864c941d30fe14e1b676a77d16f1dbadc1174d065a0a775" dependencies = [ "actix-utils", "actix-web", - "base64 0.21.6", + "base64 0.21.7", "futures-core", "futures-util", "log", 
@@ -345,9 +343,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.5" +version = "0.6.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d664a92ecae85fd0a7392615844904654d1d5f5514837f471ddef4a057aba1b6" +checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" dependencies = [ "anstyle", "anstyle-parse", @@ -359,9 +357,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7079075b41f533b8c61d2a4d073c4676e1f8b249ff94a393b0595db304e0dd87" +checksum = "2faccea4cc4ab4a667ce676a30e8ec13922a692c99bb8f5b11f1502c72e04220" [[package]] name = "anstyle-parse" @@ -407,11 +405,11 @@ dependencies = [ "anyhow", "async-trait", "attestation-service", - "base64 0.21.6", + "base64 0.21.7", "cfg-if", - "clap 4.4.14", + "clap 4.4.18", "config", - "env_logger 0.10.1", + "env_logger 0.10.2", "jsonwebtoken", "jwt-simple", "kbs-types", @@ -531,10 +529,10 @@ dependencies = [ "anyhow", "assert-json-diff", "async-trait", - "base64 0.21.6", + "base64 0.21.7", "cfg-if", - "clap 4.4.14", - "env_logger 0.10.1", + "clap 4.4.18", + "env_logger 0.10.2", "futures", "hex", "kbs-types", @@ -566,13 +564,13 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=42b7c96#42b7c9687ecd0907ef70da31cf290a60ee8432cd" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=8b0dbeb#8b0dbebf714b69c162c0c34b3b53d72e2da665b8" dependencies = [ "anyhow", "async-trait", - "az-snp-vtpm 0.5.0", - "az-tdx-vtpm 0.5.0", - "base64 0.21.6", + "az-snp-vtpm", + "az-tdx-vtpm", + "base64 0.21.7", "codicon", "csv-rs", "hyper", 
@@ -653,30 +651,9 @@ dependencies = [ [[package]] name = "az-cvm-vtpm" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8810a74cfe3024bdfd6bf13e1829114a3ce5431b7d2ef4e4a718a78ffaf03f79" -dependencies = [ - "bincode", - "jsonwebkey", - "memoffset 0.9.0", - "openssl", - "rsa 0.8.2", - "serde", - "serde-big-array", - "serde_json", - "sev", - "sha2", - "thiserror", - "tss-esapi", - "zerocopy", -] - -[[package]] -name = "az-cvm-vtpm" -version = "0.5.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9eeac6951cedbd3185174f1dc20ad8832ae61f7412d1a76021932b78b2d13e81" +checksum = "a10f6fa739b35830481a36f199a57cdcb4dbea2dbc416070a1a9618dd4d4df2a" dependencies = [ "bincode", "jsonwebkey", @@ -695,13 +672,13 @@ dependencies = [ [[package]] name = "az-snp-vtpm" -version = "0.4.1" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0703ff4c71faae6f5ab21ac8590104e771d17ff117f6941a48deb3db6f75769" +checksum = "45e9b802881e606ed0a259218dfb657e2a9130f37bf4161ff8db5c4ed10488c5" dependencies = [ - "az-cvm-vtpm 0.4.1", + "az-cvm-vtpm", "bincode", - "clap 4.4.14", + "clap 4.4.18", "openssl", "serde", "sev", 
@@ -709,44 +686,13 @@ dependencies = [ "ureq", ] -[[package]] -name = "az-snp-vtpm" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4e7ac600f726394c4174145c5d65a0cc8052b35a383e9d2be0a0d9209b545b1" -dependencies = [ - "az-cvm-vtpm 0.5.0", - "bincode", - "clap 4.4.14", - "serde", - "sev", - "thiserror", - "ureq", -] - [[package]] name = "az-tdx-vtpm" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b42775a99133b9c0edff34fb463713bb197f744b96d74dee5c1f953434721001" -dependencies = [ - "az-cvm-vtpm 0.4.1", - "base64-url", - "bincode", - "serde", - "serde_json", - "thiserror", - "ureq", - "zerocopy", -] - -[[package]] -name = "az-tdx-vtpm" -version = "0.5.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f74c823342c57ca6b79195beea11a458485456aaa1fdf9263160e7bc4ade3b1b" +checksum = "d5e9475a3a25803c9ada11c2481356dd1e4c4fafe56a97ee6566a61c1d7d5832" dependencies = [ - "az-cvm-vtpm 0.5.0", + "az-cvm-vtpm", "base64-url", "bincode", "serde", @@ -785,9 +731,9 @@ checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" [[package]] name = "base64" -version = "0.21.6" +version = "0.21.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c79fed4cdb43e993fcdadc7e58a09fd0e3e649c4436fa11da71c9f1f3ee7feb9" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" [[package]] name = "base64-url" @@ -795,7 +741,7 @@ version = "2.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fb9fb9fb058cc3063b5fc88d9a21eefa2735871498a04e1650da76ed511c8569" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", ] [[package]] 
@@ -885,9 +831,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.1" +version = "2.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "block-buffer" @@ -1001,9 +947,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chrono" -version = "0.4.31" +version = "0.4.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f2c685bad3eb3d45a01354cedb7d5faa66194d1d58ba6e267a8de788f79db38" +checksum = "9f13690e35a5e4ace198e7beea2895d29f3a9cc55015fcebe6336bd2010af9eb" dependencies = [ "android-tzdata", "iana-time-zone", @@ -1011,14 +957,14 @@ dependencies = [ "num-traits", "serde", "wasm-bindgen", - "windows-targets 0.48.5", + "windows-targets 0.52.0", ] [[package]] name = "ciborium" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "effd91f6c78e5a4ace8a5d3c0b6bfaec9e2baaef55f3efc00e45fb2e477ee926" +checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e" dependencies = [ "ciborium-io", "ciborium-ll", 
@@ -1027,15 +973,15 @@ dependencies = [ [[package]] name = "ciborium-io" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdf919175532b369853f5d5e20b26b43112613fd6fe7aee757e35f7a44642656" +checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757" [[package]] name = "ciborium-ll" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "defaa24ecc093c77630e6c15e17c51f5e187bf35ee514f4e2d67baaa96dae22b" +checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9" dependencies = [ "ciborium-io", "half", @@ -1094,9 +1040,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.4.14" +version = "4.4.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33e92c5c1a78c62968ec57dbc2440366a2d6e5a23faf829970ff1585dc6b18e2" +checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c" dependencies = [ "clap_builder", "clap_derive", @@ -1104,9 +1050,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.4.14" +version = "4.4.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4323769dc8a61e2c39ad7dc26f6f2800524691a44d74fe3d1071a5c24db6370" +checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7" dependencies = [ "anstream", "anstyle", 
@@ -1233,14 +1179,25 @@ dependencies = [ "version_check", ] +[[package]] +name = "cookie" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7efb37c3e1ccb1ff97164ad95ac1606e8ccd35b3fa0a7d99a304c7f4a428cc24" +dependencies = [ + "percent-encoding", + "time", + "version_check", +] + [[package]] name = "cookie_store" -version = "0.16.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d606d0fba62e13cf04db20536c05cb7f13673c161cb47a47a82b9b9e7d3f1daa" +checksum = "387461abbc748185c3a6e1673d826918b450b87ff22639429c694619a83b6cf6" dependencies = [ - "cookie", - "idna 0.2.3", + "cookie 0.17.0", + "idna 0.3.0", "log", "publicsuffix", "serde", @@ -1310,14 +1267,20 @@ version = "0.8.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" +[[package]] +name = "crunchy" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" + [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=42b7c96#42b7c9687ecd0907ef70da31cf290a60ee8432cd" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=8b0dbeb#8b0dbebf714b69c162c0c34b3b53d72e2da665b8" dependencies = [ "aes-gcm", "anyhow", - "base64 0.21.6", + "base64 0.21.7", "ctr", "kbs-types", "rand", @@ -1556,7 +1519,7 @@ name = "ear" version = "0.1.0" source = "git+https://github.com/veraison/rust-ear?rev=cc6ea53#cc6ea5318b91f3038e337bdbaad0e9fb0fa2af2a" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", "ciborium", "cose-rust", "hex", 
@@ -1676,9 +1639,9 @@ dependencies = [ [[package]] name = "env_logger" -version = "0.10.1" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95b3f3e67048839cb0d0781f445682a35113da7121f7c949db0e2be96a4fbece" +checksum = "4cd405aab171cb85d6735e5c8d9db038c17d3ca007a4d2c25f337935c3d90580" dependencies = [ "humantime", "is-terminal", @@ -1966,9 +1929,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.3.23" +version = "0.3.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b553656127a00601c8ae5590fcfdc118e4083a7924b6cf4ffc1ea4b99dc429d7" +checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9" dependencies = [ "bytes", "fnv", @@ -1976,7 +1939,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 2.1.0", + "indexmap 2.2.1", "slab", "tokio", "tokio-util", @@ -1985,9 +1948,13 @@ dependencies = [ [[package]] name = "half" -version = "1.8.2" +version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7" +checksum = "bc52e53916c08643f1b56ec082790d1e86a32e58dc5268f897f313fbae7b4872" +dependencies = [ + "cfg-if", + "crunchy", +] [[package]] name = "hashbrown" @@ -2021,9 +1988,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.3.3" +version = "0.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7" +checksum = "5d3d0e0f38255e7fa3cf31335b3a56f05febd18025f4db5ef7a0cfb4f8da651f" [[package]] name = "hex" 
@@ -2220,17 +2187,6 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39" -[[package]] -name = "idna" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" -dependencies = [ - "matches", - "unicode-bidi", - "unicode-normalization", -] - [[package]] name = "idna" version = "0.3.0" @@ -2269,9 +2225,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.1.0" +version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f" +checksum = "433de089bd45971eecf4668ee0ee8f4cec17db4f8bd8f7bc3197a6ce37aa7d9b" dependencies = [ "equivalent", "hashbrown 0.14.3", @@ -2314,7 +2270,7 @@ version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0bad00257d07be169d870ab665980b06cdb366d792ad690bf2e76876dc503455" dependencies = [ - "hermit-abi 0.3.3", + "hermit-abi 0.3.4", "rustix", "windows-sys 0.52.0", ] @@ -2351,9 +2307,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.66" +version = "0.3.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cee9c64da59eae3b50095c18d3e74f8b73c0b86d2792824ff01bbce68ba229ca" +checksum = "9a1d36f1235bc969acba30b7f5990b864423a6068a10f7c90ae8f0112e3a59d1" dependencies = [ "wasm-bindgen", ] @@ -2392,7 +2348,7 @@ version = "8.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6971da4d9c3aa03c3d8f3ff0f4155b534aad021292003895a469716b2a230378" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", "pem", "ring 0.16.20", "serde", @@ -2447,8 +2403,8 @@ dependencies = [ "anyhow", "api-server", "cfg-if", - "clap 4.4.14", - "env_logger 0.10.1", + "clap 4.4.18", + "env_logger 0.10.2", "log", "tokio", ] 
@@ -2458,9 +2414,9 @@ name = "kbs-client" version = "0.1.0" dependencies = [ "anyhow", - "base64 0.21.6", - "clap 4.4.14", - "env_logger 0.10.1", + "base64 0.21.7", + "clap 4.4.18", + "env_logger 0.10.2", "jwt-simple", "kbs_protocol", "log", @@ -2483,12 +2439,12 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=42b7c96#42b7c9687ecd0907ef70da31cf290a60ee8432cd" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=8b0dbeb#8b0dbebf714b69c162c0c34b3b53d72e2da665b8" dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.6", + "base64 0.21.7", "crypto", "jwt-simple", "kbs-types", @@ -2519,7 +2475,7 @@ version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9002dff009755414f22b962ec6ae6980b07d6d8b06e5297b1062019d72bd6a8c" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "kvm-bindings", "libc", "vmm-sys-util", @@ -2548,9 +2504,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.152" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "libgit2-sys" 
@@ -2586,16 +2542,16 @@ version = "0.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "85c833ca1e66078851dba29046874e38f08b2c883700aa29a03ddd3b23814ee8" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "libc", "redox_syscall 0.4.1", ] [[package]] name = "libz-sys" -version = "1.1.14" +version = "1.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "295c17e837573c8c821dbaeb3cceb3d745ad082f7572191409e69cbc1b3fd050" +checksum = "037731f5d3aaa87a5675e895b63ddff1a87624bc29f77004ea829809654e48f6" dependencies = [ "cc", "libc", @@ -2611,9 +2567,9 @@ checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" [[package]] name = "linux-raw-sys" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" [[package]] name = "local-channel" @@ -2648,12 +2604,6 @@ version = "0.4.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" -[[package]] -name = "matches" -version = "0.1.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" - [[package]] name = "matchit" version = "0.7.3" @@ -2901,7 +2851,7 @@ version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" dependencies = [ - "hermit-abi 0.3.3", + "hermit-abi 0.3.4", "libc", ] 
@@ -2965,11 +2915,11 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" -version = "0.10.62" +version = "0.10.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cde4d2d9200ad5909f8dac647e29482e07c3a35de8a13fce7c9c7747ad9f671" +checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "cfg-if", "foreign-types", "libc", @@ -2997,18 +2947,18 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "300.1.6+3.1.4" +version = "300.2.2+3.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "439fac53e092cd7442a3660c85dde4643ab3b5bd39040912388dcdabf6b88085" +checksum = "8bbfad0063610ac26ee79f7484739e2b07555a75c42453b89263830b5c8103bc" dependencies = [ "cc", ] [[package]] name = "openssl-sys" -version = "0.9.98" +version = "0.9.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1665caf8ab2dc9aef43d1c0023bd904633a6a05cb30b0ad59bec2ae986e57a7" +checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" dependencies = [ "cc", "libc", @@ -3135,15 +3085,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" -[[package]] -name = "pbkdf2" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83a0692ec44e4cf1ef28ca317f14f8f07da2d95ec3fa01f86e4467b725e60917" -dependencies = [ - "digest", -] - [[package]] name = "pbkdf2" version = "0.12.2" @@ -3245,7 +3186,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" dependencies = [ "fixedbitset", - "indexmap 2.1.0", + "indexmap 2.2.1", ] [[package]] 
@@ -3319,7 +3260,7 @@ version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2c5f20f71a68499ff32310f418a6fad8816eac1a2859ed3f0c5c741389dd6208" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", "oid", "picky-asn1", "picky-asn1-der", @@ -3328,18 +3269,18 @@ dependencies = [ [[package]] name = "pin-project" -version = "1.1.3" +version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fda4ed1c6c173e3fc7a83629421152e01d7b1f9b7f65fb301e490e8cfc656422" +checksum = "0302c4a0442c456bd56f841aee5c3bfd17967563f6fadc9ceb9f9c23cf3807e0" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.3" +version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4359fd9c9171ec6e8c62926d6faaf553a8dc3f64e1507e76da7911b4f6a04405" +checksum = "266c042b60c9c76b8d53061e52b2e0d1116abc57cefc8c5cd671619a56ac3690" dependencies = [ "proc-macro2", "quote", @@ -3381,22 +3322,6 @@ dependencies = [ "spki 0.7.3", ] -[[package]] -name = "pkcs5" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d10d862c1f5c302df3c3dbfd837afbae0ad09551a6fa37b10311cb5890a80175" -dependencies = [ - "aes", - "cbc", - "der 0.6.1", - "hmac", - "pbkdf2 0.11.0", - "scrypt 0.10.0", - "sha2", - "spki 0.6.0", -] - [[package]] name = "pkcs5" version = "0.7.1" @@ -3406,8 +3331,8 @@ dependencies = [ "aes", "cbc", "der 0.7.8", - "pbkdf2 0.12.2", - "scrypt 0.11.0", + "pbkdf2", + "scrypt", "sha2", "spki 0.7.3", ] @@ -3419,8 +3344,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba" dependencies = [ "der 0.6.1", - "pkcs5 0.5.0", - "rand_core", "spki 0.6.0", ] 
@@ -3431,16 +3354,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der 0.7.8", - "pkcs5 0.7.1", + "pkcs5", "rand_core", "spki 0.7.3", ] [[package]] name = "pkg-config" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" +checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" [[package]] name = "polyval" @@ -3511,9 +3434,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.76" +version = "1.0.78" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" dependencies = [ "unicode-ident", ] @@ -3663,11 +3586,11 @@ dependencies = [ "anyhow", "assert-json-diff", "async-trait", - "base64 0.21.6", + "base64 0.21.7", "cfg-if", "chrono", - "clap 4.4.14", - "env_logger 0.10.1", + "clap 4.4.18", + "env_logger 0.10.2", "log", "path-clean", "prost", @@ -3688,9 +3611,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.2" +version = "1.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "380b951a9c5e80ddfd6136919eef32310721aa4aacd4889a8d39124b026ab343" +checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" dependencies = [ "aho-corasick", "memchr", @@ -3700,9 +3623,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.3" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f804c7828047e88b2d32e2d7fe5a105da8ee3264f01902f796c8e067dc2483f" +checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" dependencies = [ "aho-corasick", "memchr", 
@@ -3723,13 +3646,13 @@ checksum = "e898588f33fdd5b9420719948f9f2a32c922a246964576f71ba7f24f80610fbc" [[package]] name = "reqwest" -version = "0.11.23" +version = "0.11.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37b1ae8d9ac08420c66222fb9096fc5de435c3c48542bc5336c51892cffafb41" +checksum = "c6920094eb85afde5e4a138be3f2de8bbdf28000f0029e72c45025a56b042251" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", "bytes", - "cookie", + "cookie 0.17.0", "cookie_store", "encoding_rs", "futures-core", @@ -3753,6 +3676,7 @@ dependencies = [ "serde", "serde_json", "serde_urlencoded", + "sync_wrapper", "system-configuration", "tokio", "tokio-native-tls", @@ -3769,7 +3693,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=42b7c96#42b7c9687ecd0907ef70da31cf290a60ee8432cd" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=8b0dbeb#8b0dbebf714b69c162c0c34b3b53d72e2da665b8" dependencies = [ "anyhow", "serde", @@ -3848,27 +3772,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "rsa" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55a77d189da1fee555ad95b7e50e7457d91c0e089ec68ca69ad2989413bbdab4" -dependencies = [ - "byteorder", - "digest", - "num-bigint-dig", - "num-integer", - "num-iter", - "num-traits", - "pkcs1 0.4.1", - "pkcs8 0.9.0", - "rand_core", - "sha2", - "signature 2.2.0", - "subtle", - "zeroize", -] - [[package]] name = "rsa" version = "0.9.6" 
@@ -3970,11 +3873,11 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.28" +version = "0.38.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72e572a5e8ca657d7366229cdde4bd14c4eb5499a9573d4d366fe1b599daa316" +checksum = "322394588aaf33c24007e8bb3238ee3e4c5c09c084ab32bc73890b99ff326bca" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "errno", "libc", "linux-raw-sys", @@ -4011,7 +3914,7 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", ] [[package]] @@ -4056,9 +3959,9 @@ dependencies = [ [[package]] name = "scc" -version = "2.0.9" +version = "2.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a11062137cca11873a7204f971abf920c32660d0396009d5acbab11e431d437" +checksum = "903471e09ef1bf20830512faf69ef92970a3e7abeb88cfdc2f8ceea6f28f5c8d" [[package]] name = "schannel" @@ -4095,25 +3998,13 @@ dependencies = [ "syn 2.0.48", ] -[[package]] -name = "scrypt" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f9e24d2b632954ded8ab2ef9fea0a0c769ea56ea98bddbafbad22caeeadf45d" -dependencies = [ - "hmac", - "pbkdf2 0.11.0", - "salsa20", - "sha2", -] - [[package]] name = "scrypt" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" dependencies = [ - "pbkdf2 0.12.2", + "pbkdf2", "salsa20", "sha2", ] @@ -4191,9 +4082,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.195" +version = "1.0.196" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "63261df402c67811e9ac6def069e4786148c4563f4b50fd4bf30aa370d626b02" +checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" dependencies = [ "serde_derive", ] 
@@ -4218,9 +4109,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.195" +version = "1.0.196" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46fe8f8603d81ba86327b23a2e9cdf49e1255fb94a4c5f297f6ee0547178ea2c" +checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" dependencies = [ "proc-macro2", "quote", @@ -4229,9 +4120,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.111" +version = "1.0.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "176e46fa42316f18edd598015a5166857fc835ec732f5215eac6b7bdbf0a84f4" +checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" dependencies = [ "itoa", "ryu", @@ -4398,9 +4289,9 @@ dependencies = [ [[package]] name = "shlex" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7cee0529a6d40f580e7a5e6c495c8fbfe21b7b52795ed4bb5e62cdf92bc6380" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" @@ -4476,9 +4367,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.11.2" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" +checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "socket2" @@ -4949,7 +4840,7 @@ checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" dependencies = [ "async-trait", "axum", - "base64 0.21.6", + "base64 0.21.7", "bytes", "futures-core", "futures-util", 
@@ -5174,9 +5065,9 @@ checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9" [[package]] name = "unicode-bidi" -version = "0.3.14" +version = "0.3.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f2528f27a9eb2b21e69c95319b30bd0efd85d09c379741b0f78ea1d86be2416" +checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75" [[package]] name = "unicode-ident" @@ -5233,7 +5124,7 @@ version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8cdd25c339e200129fe4de81451814e5228c9b771d57378817d6117cc2b3f97" dependencies = [ - "base64 0.21.6", + "base64 0.21.7", "log", "once_cell", "rustls 0.21.10", @@ -5264,9 +5155,9 @@ checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" [[package]] name = "uuid" -version = "1.6.1" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e395fcf16a7a3d8127ec99782007af141946b4795001f876d54fb0d55978560" +checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a" dependencies = [ "getrandom", "serde", @@ -5313,9 +5204,9 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm 0.4.1", - "az-tdx-vtpm 0.4.1", - "base64 0.21.6", + "az-snp-vtpm", + "az-tdx-vtpm", + "base64 0.21.7", "bincode", "byteorder", "cfg-if", @@ -5386,9 +5277,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.89" +version = "0.2.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ed0d4f68a3015cc185aff4db9506a015f4b96f95303897bfa23f846db54064e" +checksum = "b1223296a201415c7fad14792dbefaace9bd52b62d33453ade1c5b5f07555406" dependencies = [ "cfg-if", "wasm-bindgen-macro", 
@@ -5396,9 +5287,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.89" +version = "0.2.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b56f625e64f3a1084ded111c4d5f477df9f8c92df113852fa5a374dbda78826" +checksum = "fcdc935b63408d58a32f8cc9738a0bffd8f05cc7c002086c6ef20b7312ad9dcd" dependencies = [ "bumpalo", "log", @@ -5411,9 +5302,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.39" +version = "0.4.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac36a15a220124ac510204aec1c3e5db8a22ab06fd6706d881dc6149f8ed9a12" +checksum = "bde2032aeb86bdfaecc8b261eef3cba735cc426c1f3a3416d1e0791be95fc461" dependencies = [ "cfg-if", "js-sys", @@ -5423,9 +5314,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.89" +version = "0.2.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0162dbf37223cd2afce98f3d0785506dcb8d266223983e4b5b525859e6e182b2" +checksum = "3e4c238561b2d428924c49815533a8b9121c664599558a5d9ec51f8a1740a999" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -5433,9 +5324,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.89" +version = "0.2.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0eb82fcb7930ae6219a7ecfd55b217f5f0893484b7a13022ebb2b2bf20b5283" +checksum = "bae1abb6806dc1ad9e560ed242107c0f6c84335f1749dd4e8ddb012ebd5e25a7" dependencies = [ "proc-macro2", "quote", 
@@ -5446,15 +5337,15 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.89" +version = "0.2.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ab9b36309365056cd639da3134bf87fa8f3d86008abf99e612384a6eecd459f" +checksum = "4d91413b1c31d7539ba5ef2451af3f0b833a005eb27a631cec32bc0635a8602b" [[package]] name = "web-sys" -version = "0.3.66" +version = "0.3.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50c24a44ec86bb68fbecd1b3efed7e85ea5621b39b35ef2766b66cd984f8010f" +checksum = "58cd2333b6e0be7a39605f0e255892fd7418a682d8da8fe042fe25128794d2ed" dependencies = [ "js-sys", "wasm-bindgen", diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml index 1a09dd380..23d6d12ef 100644 --- a/attestation-service/verifier/Cargo.toml +++ b/attestation-service/verifier/Cargo.toml @@ -18,8 +18,8 @@ cca-verifier = [ "ear", "veraison-apiclient" ] anyhow.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true -az-snp-vtpm = { version = "0.4.1", default-features = false, features = ["verifier"], optional = true } -az-tdx-vtpm = { version = "0.4.1", default-features = false, features = ["verifier"], optional = true } +az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } +az-tdx-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } base64 = "0.21" bincode = "1.3.3" byteorder = "1" diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/attestation-service/verifier/src/az_snp_vtpm/mod.rs index f947d2b48..0dfdc6f8c 100644 --- a/attestation-service/verifier/src/az_snp_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_snp_vtpm/mod.rs 
@@ -48,9 +48,10 @@ impl Verifier for AzSnpVtpm { /// The following verification steps are performed: /// 1. TPM Quote has been signed by AK included in the HCL variable data /// 2. Attestation report_data matches TPM Quote nonce - /// 3. SNP report's report_data field matches hashed HCL variable data - /// 4. SNP Report is genuine - /// 5. SNP Report has been issued in VMPL 0 + /// 3. TPM PCRs' digest matches the digest in the Quote + /// 4. SNP report's report_data field matches hashed HCL variable data + /// 5. SNP Report is genuine + /// 6. SNP Report has been issued in VMPL 0 async fn evaluate( &self, evidence: &[u8], @@ -73,6 +74,8 @@ impl Verifier for AzSnpVtpm { verify_nonce(&evidence.quote, expected_report_data)?; + verify_pcrs(&evidence.quote)?; + let var_data_hash = hcl_report.var_data_sha256(); let snp_report = hcl_report.try_into()?; verify_report_data(&var_data_hash, &snp_report)?; @@ -106,6 +109,14 @@ fn verify_signature(quote: &Quote, hcl_report: &HclReport) -> Result<()> { Ok(()) } +fn verify_pcrs(quote: &Quote) -> Result<()> { + quote + .verify_pcrs() + .context("Digest of PCRs does not match digest in Quote")?; + debug!("PCR verification completed successfully"); + Ok(()) +} + fn verify_report_data(var_data_hash: &[u8; 32], snp_report: &AttestationReport) -> Result<()> { if *var_data_hash != snp_report.report_data[..32] { bail!("SNP report report_data mismatch"); 
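Review bot: The new `verify_pcrs(&evidence.quote)?;` call in `evaluate` only establishes that the PCR values in the evidence are the ones the AK signed over; nothing in this hunk passes those values on to the claims that policy is evaluated against. `evaluate` continues outside the hunk, so that may already happen further down. If it does not, a guest with unexpected measurements still passes as long as its quote is self-consistent. I would either add the verified PCRs to the parsed claims or state the limit in the step list, e.g. `/// 3. TPM PCRs' digest matches the digest in the Quote (PCR values are not appraised here)`. The same applies to the matching call added in az_tdx_vtpm/mod.rs.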
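Review bot: `verify_pcrs` is added without a doc comment, and its context string does not say what a passing result guarantees. From the visible code it delegates entirely to `quote.verify_pcrs()`, so whether the quote's PCR selection is checked at all depends on the az-snp-vtpm crate, which is outside this diff and worth confirming. Suggested comment: `/// Checks that the PCR values carried with the quote hash to the PCR digest signed in it; does not check which PCRs are selected or what they contain.` An identical helper is added to az_tdx_vtpm/mod.rs in this commit; if both `Quote` types come from the same underlying crate, one shared function would keep the two from drifting.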
@@ -133,10 +144,10 @@ fn verify_snp_report( #[cfg(test)] mod tests { use super::*; + use az_snp_vtpm::vtpm::VerifyError; - const REPORT: &[u8; 2048] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); - const SIGNATURE: &[u8; 256] = include_bytes!("../../test_data/az-snp-vtpm/tpm-quote.sig"); - const MESSAGE: &[u8; 122] = include_bytes!("../../test_data/az-snp-vtpm/tpm-quote.msg"); + const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); + const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin"); const REPORT_DATA: &[u8] = "challenge".as_bytes(); #[test] @@ -152,12 +163,17 @@ mod tests { fn test_verify_snp_report_failure() { let mut wrong_report = REPORT.clone(); // messing with snp report - wrong_report[0x00b0] = 0; + wrong_report[0x01a6] = 0; let hcl_report = HclReport::new(wrong_report.to_vec()).unwrap(); let snp_report = hcl_report.try_into().unwrap(); let vcek = Vcek::from_pem(include_str!("../../test_data/az-snp-vtpm/vcek.pem")).unwrap(); let vendor_certs = load_milan_cert_chain().as_ref().unwrap(); - verify_snp_report(&snp_report, &vcek, vendor_certs).unwrap_err(); + assert_eq!( + verify_snp_report(&snp_report, &vcek, vendor_certs) + .unwrap_err() + .to_string(), + "SNP version mismatch", + ); } #[test] 
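Review bot: In `test_verify_snp_report_failure` the offset `0x01a6` is a bare magic number under the unchanged comment `// messing with snp report`, yet the test now pins the error to "SNP version mismatch", so it presumably lands on the report's SNP TCB byte. A comment such as `// zero reported_tcb.snp so it no longer matches the VCEK's SNP SPL extension` (to be confirmed against the report layout) would make that explicit. In snp/mod.rs the TCB comparison sits before the `// verify report signature` step, so after this change no visible test tampers with the report in a way that reaches the signature check itself; a second negative case for that path would be worth adding. The asserted literal is also coupled to message text in snp/mod.rs that this same commit edits.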
@@ -175,61 +191,86 @@ mod tests { let hcl_report = HclReport::new(wrong_report.to_vec()).unwrap(); let var_data_hash = hcl_report.var_data_sha256(); let snp_report = hcl_report.try_into().unwrap(); - verify_report_data(&var_data_hash, &snp_report).unwrap_err(); + assert_eq!( + verify_report_data(&var_data_hash, &snp_report) + .unwrap_err() + .to_string(), + "SNP report report_data mismatch" + ); } #[test] fn test_verify_signature() { - let quote = Quote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); let hcl_report = HclReport::new(REPORT.to_vec()).unwrap(); verify_signature("e, &hcl_report).unwrap(); } #[test] fn test_verify_quote_signature_failure() { - let mut wrong_message = MESSAGE.clone(); - wrong_message.reverse(); - let wrong_quote = Quote { - signature: SIGNATURE.to_vec(), - message: wrong_message.to_vec(), - }; + let mut quote = QUOTE.clone(); + quote[0x030] = 0; + let wrong_quote: Quote = bincode::deserialize("e).unwrap(); + let hcl_report = HclReport::new(REPORT.to_vec()).unwrap(); - verify_signature(&wrong_quote, &hcl_report).unwrap_err(); + assert_eq!( + verify_signature(&wrong_quote, &hcl_report) + .unwrap_err() + .downcast_ref::() + .unwrap() + .to_string(), + VerifyError::SignatureMismatch.to_string() + ); } #[test] fn test_verify_akpub_failure() { - let quote = Quote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); let mut wrong_report = REPORT.clone(); // messing with AKpub in var data wrong_report[0x0540] = 0; let wrong_hcl_report = HclReport::new(wrong_report.to_vec()).unwrap(); - verify_signature("e, &wrong_hcl_report).unwrap_err(); + assert_eq!( + verify_signature("e, &wrong_hcl_report) + .unwrap_err() + .to_string(), + "Failed to get AKpub", + ); } #[test] fn test_verify_quote_nonce() { - let quote = Quote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let 
quote: Quote = bincode::deserialize(QUOTE).unwrap(); verify_nonce("e, &REPORT_DATA).unwrap(); } #[test] fn test_verify_quote_nonce_failure() { - let quote = Quote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); let mut wrong_report_data = REPORT_DATA.to_vec(); wrong_report_data.reverse(); verify_nonce("e, &wrong_report_data).unwrap_err(); } + + #[test] + fn test_verify_pcrs() { + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); + verify_pcrs("e).unwrap(); + } + + #[test] + fn test_verify_pcrs_failure() { + let mut quote = QUOTE.clone(); + quote[0x0169] = 0; + let wrong_quote: Quote = bincode::deserialize("e).unwrap(); + + assert_eq!( + verify_pcrs(&wrong_quote) + .unwrap_err() + .downcast_ref::() + .unwrap() + .to_string(), + VerifyError::PcrMismatch.to_string() + ); + } } diff --git a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs index 7f1100938..274bca9f0 100644 --- a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs @@ -30,8 +30,9 @@ impl Verifier for AzTdxVtpm { /// The following verification steps are performed: /// 1. TPM Quote has been signed by AK included in the HCL variable data /// 2. Attestation nonce matches TPM Quote nonce - /// 3. TD Quote is genuine - /// 4. TD Report's report_data field matches hashed HCL variable data + /// 3. TPM PCRs' digest matches the digest in the Quote + /// 4. TD Quote is genuine + /// 5. TD Report's report_data field matches hashed HCL variable data async fn evaluate( &self, evidence: &[u8], @@ -54,6 +55,8 @@ impl Verifier for AzTdxVtpm { verify_tpm_nonce(&evidence.tpm_quote, expected_report_data)?; + verify_pcrs(&evidence.tpm_quote)?; + ecdsa_quote_verification(&evidence.td_quote).await?; let td_quote = parse_tdx_quote(&evidence.td_quote)?; 
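Review bot: `test_verify_quote_nonce_failure` still ends in a bare `.unwrap_err()` while the other negative tests in this hunk now assert the specific error, so it passes on any failure of `verify_nonce`, not only a nonce mismatch. It should be pinned the same way, `assert_eq!(… .unwrap_err().to_string(), "<message from verify_nonce>")`, with the text taken from `verify_nonce`, which is outside this hunk. The quote offsets `0x030` and `0x0169` would also benefit from a one-line comment naming the serialized field each one corrupts, since they depend on the bincode layout of `Quote`. `test_verify_tpm_nonce_failure` in az_tdx_vtpm/mod.rs has the same gap.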
@@ -84,6 +87,14 @@ fn verify_tpm_signature(quote: &TpmQuote, hcl_report: &HclReport) -> Result<()> Ok(()) } +fn verify_pcrs(quote: &TpmQuote) -> Result<()> { + quote + .verify_pcrs() + .context("Digest of PCRs does not match digest in Quote")?; + debug!("PCR verification completed successfully"); + Ok(()) +} + fn verify_tpm_nonce(quote: &TpmQuote, report_data: &[u8]) -> Result<()> { let nonce = quote.nonce()?; if nonce != report_data[..] { @@ -96,10 +107,11 @@ fn verify_tpm_nonce(quote: &TpmQuote, report_data: &[u8]) -> Result<()> { #[cfg(test)] mod tests { use super::*; + use az_tdx_vtpm::vtpm::Quote; + use az_tdx_vtpm::vtpm::VerifyError; const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-tdx-vtpm/hcl-report.bin"); - const SIGNATURE: &[u8; 256] = include_bytes!("../../test_data/az-tdx-vtpm/tpm-quote.sig"); - const MESSAGE: &[u8; 126] = include_bytes!("../../test_data/az-tdx-vtpm/tpm-quote.msg"); + const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-tdx-vtpm/quote.bin"); const TD_QUOTE: &[u8; 5006] = include_bytes!("../../test_data/az-tdx-vtpm/td-quote.bin"); #[test] 
@@ -115,48 +127,71 @@ mod tests { wrong_report[0x0880] += 1; let hcl_report = HclReport::new(wrong_report.to_vec()).unwrap(); let td_quote = parse_tdx_quote(TD_QUOTE).unwrap(); - verify_hcl_var_data(&hcl_report, &td_quote).unwrap_err(); + assert_eq!( + verify_hcl_var_data(&hcl_report, &td_quote) + .unwrap_err() + .to_string(), + "TDX Quote report data mismatch" + ); } #[test] fn test_verify_tpm_signature() { - let quote = TpmQuote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); let hcl_report = HclReport::new(REPORT.to_vec()).unwrap(); verify_tpm_signature("e, &hcl_report).unwrap(); } #[test] fn test_verify_tpm_signature_failure() { - let mut wrong_message = MESSAGE.clone(); - wrong_message.reverse(); - let wrong_quote = TpmQuote { - signature: SIGNATURE.to_vec(), - message: wrong_message.to_vec(), - }; + let mut quote = QUOTE.clone(); + quote[0x020] = 0; + let wrong_quote: Quote = bincode::deserialize("e).unwrap(); + let hcl_report = HclReport::new(REPORT.to_vec()).unwrap(); - verify_tpm_signature(&wrong_quote, &hcl_report).unwrap_err(); + assert_eq!( + verify_tpm_signature(&wrong_quote, &hcl_report) + .unwrap_err() + .downcast_ref::() + .unwrap() + .to_string(), + VerifyError::SignatureMismatch.to_string() + ); } #[test] fn test_verify_tpm_nonce() { - let quote = TpmQuote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; - let nonce = "tdx challenge".as_bytes(); + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); + let nonce = "challenge".as_bytes(); verify_tpm_nonce("e, nonce).unwrap(); } #[test] fn test_verify_tpm_nonce_failure() { - let quote = TpmQuote { - signature: SIGNATURE.to_vec(), - message: MESSAGE.to_vec(), - }; + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); let wrong_nonce = "wrong".as_bytes(); verify_tpm_nonce("e, wrong_nonce).unwrap_err(); } + + #[test] + fn test_verify_pcrs() { + let quote: Quote = 
bincode::deserialize(QUOTE).unwrap(); + verify_pcrs("e).unwrap(); + } + + #[test] + fn test_verify_pcrs_failure() { + let mut quote = QUOTE.clone(); + quote[0x0169] = 0; + let wrong_quote: Quote = bincode::deserialize("e).unwrap(); + + assert_eq!( + verify_pcrs(&wrong_quote) + .unwrap_err() + .downcast_ref::() + .unwrap() + .to_string(), + VerifyError::PcrMismatch.to_string() + ); + } } diff --git a/attestation-service/verifier/src/snp/mod.rs b/attestation-service/verifier/src/snp/mod.rs index a282e13d2..3723ad510 100644 --- a/attestation-service/verifier/src/snp/mod.rs +++ b/attestation-service/verifier/src/snp/mod.rs @@ -173,19 +173,19 @@ pub(crate) fn verify_report_signature( // tcb version // these integer extensions are 3 bytes with the last byte as the data if get_oid_int(&parsed_vcek, UCODE_SPL_OID)? != report.reported_tcb.microcode { - return Err(anyhow!("Microcode verion mismatch")); + return Err(anyhow!("Microcode version mismatch")); } if get_oid_int(&parsed_vcek, SNP_SPL_OID)? != report.reported_tcb.snp { - return Err(anyhow!("SNP verion mismatch")); + return Err(anyhow!("SNP version mismatch")); } if get_oid_int(&parsed_vcek, TEE_SPL_OID)? != report.reported_tcb.tee { - return Err(anyhow!("TEE verion mismatch")); + return Err(anyhow!("TEE version mismatch")); } if get_oid_int(&parsed_vcek, LOADER_SPL_OID)? != report.reported_tcb.bootloader { - return Err(anyhow!("Boot loader verion mismatch")); + return Err(anyhow!("Boot loader version mismatch")); } // verify report signature diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin b/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin index c85e9e2f5..5c58c8dbf 100644 Binary files a/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin and b/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin differ 
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin b/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin new file mode 100644 index 000000000..76d0dd044 Binary files /dev/null and b/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin differ diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem b/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem index 6f6d7e165..c7e9c01c8 100644 --- a/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem +++ b/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem 
@@ -3,29 +3,29 @@ MIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD VQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs YXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl -czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3 -NTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD +czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEwMTA1MzExOFoXDTMwMDEwMTA1 +MzExOFowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD VQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk IE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF -K4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W -XM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq -2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC +K4EEACIDYgAEP3PCTk5P1qVUrvZPD+Motv8TNuSxJs5IR21EHLVk7HKQ3bNFknCc +mwE4ldVb27hjHGpizC9Oom6HHfa7XjX+3P+77N217Tn8/u2MUWhlv7koTxe/xwuV +Xn07DiWV7ZSKo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC BAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC AQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE AZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB -CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5 -cmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk -d1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B -AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm -ituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi -cUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU -bvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6 -9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH -d9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO -NgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt -cluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf 
-onhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg -xynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN -bz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS -oLSG2dLCK9mjjraPjau34Q== +CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEA6dUWWsrgPLlF2yq6v +VEvZSbse/BceAuFyGwp2fd/Jn04lmNJXQQtXEr6LTctPmYOLymx50lAmx2rwnxl5 +gvA8MEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B +AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQA3s4HR1ZshYd/PeYXfiuLV +kmTCWm+OBd9HVM0hXcNv2KWxRzmG7lBzNKfk71DLqsjOYK5uAS0Jdad9iSbJS6F9 +nQNL1O7/n8M3K6OYa1SYFubU1tXJjRL3Bzx/rcL1w6sGQIeXwDXNjxyPO433YbIW +oQ6VuUj5AeTLlp3hChfrQ0Nkj3DbfsmDmSL4F0vsSq629YxQ6XTT+tIT897iMMVI +IMUeJ4O7wxcMnoKoNbM+dTmKrkDm4/FdqYpsT2ziPD9FcTcMud0qZGy8YmUCa9cV +/g7xKrDfRe8A8FDe1iFAVJ62xhS7GiOx/F2Gd/oEHto9dwE4/OVRmZlFy1njlxZt +3Dd6W8z0TLmiyHngApx8VMJHNuf4+UeiDYkWo14ZzGlsMKHweGQhy/bRbkIpjNB/ +fUZsn404ZxV8+mbTdeMftIUAofDHryPq2/K4FZB6IucEil9S/dejUerlAlDn+uq/ +TT/FatsAv8gMnTHNB2/GRDRuiLf5bqRGXFRelV8K0edfoxxvW8JjiK2h6bsQf4aA +JPH53P1GFWvEu9zOsGTldzOIvcPdykMFxhssRryI4YTTwAg6BPpXM83kdnGCEPgU +pNO5zaEImuqtrxdmOZt8qGxyQ2DYgwS0QC8srEIxBtM9eBSJAodvgUiovwACF4+w +5CU3rQt0CzyWLJop7k8GMw== -----END CERTIFICATE----- diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin index cca12d37a..daca213c6 100644 Binary files a/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin and b/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin differ diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin new file mode 100644 index 000000000..26e9da2c8 Binary files /dev/null and b/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin differ 
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin index 2fb8f51ec..b5b00b282 100644 Binary files a/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin and b/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin differ diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg b/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg deleted file mode 100644 index 6653c5d5d..000000000 Binary files a/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg and /dev/null differ diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.sig b/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.sig deleted file mode 100644 index 7f137dd0b..000000000 Binary files a/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.sig and /dev/null differ diff --git a/kbs/tools/client/Cargo.toml b/kbs/tools/client/Cargo.toml index f9d3de4c1..a77af84a8 100644 --- a/kbs/tools/client/Cargo.toml +++ b/kbs/tools/client/Cargo.toml @@ -18,7 +18,7 @@ base64.workspace = true clap = { version = "4.0.29", features = ["derive"] } env_logger.workspace = true jwt-simple = "0.11.4" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "42b7c96", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "8b0dbeb", default-features = false } log.workspace = true reqwest = { version = "0.11.18", default-features = false, features = ["cookies", "json"] } serde = { version = "1.0", features = ["derive"] }